According to the latest technical studies conducted on smartphones, researchers have discovered and identified more than one smartphone battery application that can leak user information to some party; these applications can also be used to track a targeted user and pinpoint their location.
According to the study's conclusions, tracking a person, determining their location and spying on them does not require running the traditional services people believe pinpoint the person's or the phone's location, such as GPS, association with a Wi-Fi network, or a wireless internet connection that lets the service provider determine the user's location.
According to the researchers at "Stamford" University in Bangladesh who conducted the study, more than 100 phone applications, all of them used for working with the phone's battery, are able to collect a person's movements and determine their travels and whereabouts. They can therefore be used as tracking tools against any targeted person, making it possible to map that person's movements and thus to know precisely the places they have been and where they are now.
It is well known that mobile phones have made it easier for government agencies and telecommunications providers around the world to track people: the tower from which any mobile phone receives its signal can be identified, and with it the area in which the phone's owner is located; moreover, the signal strength can indicate how near or far the person is from the tower serving them, which makes the mobile phone a means of tracking anyone's movements anywhere in the world. What is new in the study is that many smartphone applications can provide location information about the user to a third party, that is, to a party other than the user and the service provider.
A Future-Proof Investment
The Cisco Unified Computing System gives data centers room to scale while anticipating future technology developments, helping increase return on investment today while protecting that investment over time. The blade server chassis, power supplies, and midplane are capable of handling future servers with even greater processing capacity; future, higher-power CPUs; and future 40 Gigabit Ethernet standards that are expected to bring a total of 80 Gbps of bandwidth to each half-width blade server.
From a high-level perspective, the Cisco Unified Computing System consists of one or two Cisco UCS 6100 Series Fabric Interconnects and one or more Cisco UCS 5100 Series Blade Server Chassis populated with Cisco UCS B-Series Blade Servers. Cisco UCS Manager is embedded in the fabric interconnects, and it supports all server chassis as a single, redundant management domain.
Each chassis requires at least one 10 Gigabit unified fabric connection to a Cisco UCS 6100 Series Fabric Interconnect. A maximum configuration would occupy all 40 fixed ports of a redundant pair of Cisco UCS 6140XP Fabric Interconnects with 40 blade server chassis and a total of up to 320 blade servers. A typical configuration would have 2 to 4 unified fabric connections from each chassis to each of an active-active pair of switches.
For example, Figure 2 illustrates 36 blade server chassis connected to an active-active pair of fabric interconnects that support failover. Uplinks from the two fabric interconnects deliver LAN traffic to the LAN aggregation or core layer and SAN traffic through native Fibre Channel to either of SAN A or SAN B.
Figure 2. Example Cisco Unified Computing System with 36 Cisco UCS 5100 Series Blade Server Chassis and 2 Cisco UCS 6140XP Series Fabric Interconnects
Figure 3 shows the components that make up the Cisco Unified Computing System:
● The unified fabric is supported by Cisco UCS 6100 Series Fabric Interconnects. The figure shows a Cisco UCS 6120XP Fabric Interconnect with 20 fixed ports and one expansion module slot.
● Cisco UCS Manager runs within the two Cisco UCS 6100 Series Fabric Interconnects and manages the system as a single, unified, management domain. The management software is deployed in a clustered active-passive configuration so that the management plane remains intact even through the failure of an interconnect.
● The unified fabric is extended to each of up to 40 blade chassis through up to two Cisco UCS 2100 Series Fabric Extenders per blade chassis, each supporting up to four unified fabric connections. Each chassis must have at least one connection to a parent Cisco UCS 6100 Series Fabric Interconnect.
Figure 3. The Cisco Unified Computing System Is Composed of Interconnects, Fabric Extenders, Blade Server Chassis, Blade Servers, CNAs, and Cisco Extended Memory Technology
● Up to eight Cisco UCS B-Series Blade Servers can be installed in a Cisco UCS 5100 Series Blade Server Chassis. The chassis supports half-width and full-width blades. Cisco UCS B-Series Blade Servers use Intel Xeon 5500 Series processors that deliver intelligent performance, automated energy efficiency, and flexible virtualization.
● Transparent access to the unified fabric is provided by one of three types of network adapters in a mezzanine card form factor, each optimized for a different purpose: a virtual interface card that incorporates Cisco VN-Link technology and up to 128 dynamically configured virtual interface devices; converged network adapters (CNAs) that provide a fixed number of Ethernet and Fibre Channel over Ethernet (FCoE) connections and are compatible with existing Fibre Channel driver stacks; and a network interface designed to deliver efficient, high-performance 10 Gigabit Ethernet.
● Cisco Extended Memory Technology in the Cisco UCS B250 M1 Extended Memory Blade Server expands the memory footprint available to two-socket x86 servers. The extended memory blade server can support up to 384 GB of DDR3 memory with up to 48 industry-standard DIMMs.
Cisco ACI Application-Centric Approach to Managing Your Infrastructure – Cisco Nexus 9000 (ACI fabric mode)
Application Centric Infrastructure (ACI) in the data center is a holistic architecture with centralized automation and policy-driven application profiles. ACI delivers software flexibility with the scalability of hardware performance.
Cisco ACI consists of:
- The new Cisco Nexus 9000 Series Switches
- A centralized policy management and Cisco Application Policy Infrastructure Controller (APIC)
- A Cisco Application Virtual Switch (AVS) for the virtual network edge
- Software and hardware innovations
- Integrated physical and virtual infrastructure
- An open ecosystem of network, storage, management, and orchestration vendors
Key characteristics of ACI include:
- Simplified automation by an application-driven policy model
- Centralized visibility with real-time, application health monitoring
- Open software flexibility for DevOps teams and ecosystem partner integration
- Scalable performance and multi-tenancy in hardware
The future of networking with ACI is about providing a network that is deployed, monitored, and managed in a fashion that supports DevOps and rapid application change. ACI does so through the reduction of complexity and a common policy framework that can automate provisioning and managing of resources.
The ACI architecture is based upon:
- Combining hardware, software, and ASIC innovations into an integrated systems approach that takes advantage of standard Ethernet and IP protocols.
- An extensible, object-oriented OS that offers comprehensive programmability.
- Application-level health scores, counters, and policies for both physical and virtual applications, which simplify troubleshooting and provide visibility.
Centralized Management, Automation, and Orchestration
A common management framework for network, application, security, and virtualization teams makes IT more agile.
ACI automates all fabric management tasks, including image management, configuration, and stitching of other networking infrastructure services such as firewalls and load balancers.
Mixed Workload and Migration Optimization for Any Application, Anywhere, Anytime
Facilitate provisioning of applications while promoting performance and visibility correlation between logical and physical networks.
Normalize physical and virtual server transport between different hypervisors and bare metal servers to ease migration from virtual to physical, or virtual to virtual.
Highly Secure Multi-Tenant Environment
Advance proper isolation and SLAs for different tenants while providing a consistent security policy across physical and virtual applications.
Data center teams define security and networking policies using a common policy language abstraction. This helps security teams to provide robust policy definitions independent of the network topology.
Extensibility and Openness
ACI supports an open ecosystem embracing open APIs, open source, and open standards. This provides the broadest choice in data center management and infrastructure.
A well-documented set of northbound and southbound APIs, available through the Cisco Developer Network, supports rapid system integration and flexibility for:
- Layer 4-7 services
- Virtual network infrastructure
- Orchestration services
Investment Protection – People and Infrastructure
Take advantage of existing IT teams’ skillsets and infrastructure to lower overall TCO.
Innovative 40 Gb bi-directional optics allow for the reuse of current 10 Gb cabling to reduce costly fiber upgrades.
Cisco Nexus 9000 Series Switches bring new, industry-leading performance, power, port density, and open programmability innovations.
Cisco Application Virtual Switch (AVS) provides a consistent virtual switch infrastructure between ACI fabrics and the Cisco Nexus 1000V virtual switch for existing data center fabrics.
Cisco Application Policy Infrastructure Controller (APIC) programmatically automates network provisioning and control based on application requirements and policies.
Cisco Application Centric Infrastructure Security for data centers solves many complexities in customer environments. ACI Security treats firewalls as a pool of resources and intelligently stitches them according to application network policies. ACI Security offers full acceleration dynamically in hardware and directly integrates into ACI.
Cisco Services for ACI
Cisco Data Center Strategy and Analysis Service for Cisco ACI: Helps you develop a technology strategy for adopting Cisco ACI based on business and technology needs.
Cisco Data Center Assessment Service for Cisco ACI: Provides operations readiness, migration strategy, and process for future migrations.
Cisco Data Center Validation Service for Cisco ACI: Pilots the Cisco ACI solution with a simulator so you understand its capabilities and gain experience to reduce deployment risk.
Cisco Data Center Design Service for Cisco ACI: Helps you design a data center environment based on Cisco ACI, including infrastructure, fabric POD planning, and design with application policy templates.
Network-switch vendors will go broke if they are relying on Facebook for sales. Facebook now makes all its own network gear under the auspices of the Open Compute Project (OCP). From the OCP website: “A set of technologies that are disaggregated and fully open, allowing for rapid innovation in the network space. We aim to facilitate the development of network hardware and software — together with trusted project validation and testing — in a truly open and collaborative community environment.”
Most who follow data-center networking figured it was a matter of time before Facebook would design and build all the network equipment needed in its data centers. The first piece of equipment to be redesigned was the Top Of Rack (TOR) switch. The new TOR switch was code-named Wedge.
What is OCP?
The Open Compute Project initiative was announced in April 2011 by Facebook to openly share designs of data center products. The effort came out of a redesign of Facebook’s data center in Prineville, Oregon. After two years, it was admitted that “the new design is still a long way from live data centers.” However, some aspects published were used in the Prineville center to improve the energy efficiency, as measured by the power usage effectiveness index defined by The Green Grid.
Components of the Open Compute Project include:
- Server compute nodes: initially one design for Intel processors and one for AMD processors. In 2013, Calxeda contributed a design with ARM architecture processors.
- Open Vault storage building blocks offer high disk densities, with 30 drives in a 2U Open Rack chassis designed for easy disk drive replacement. The 3.5 inch disks are stored in two drawers, five across and three deep in each drawer, with connections via serial attached SCSI. Another design concept was contributed by Hyve Solutions, a division of Synnex, in 2012.
- Mechanical mounting system: Open racks have the same outside width (600 mm) and depth as standard 19-inch racks, but are designed to mount wider chassis with a 537 mm width (about 21 inches). This allows more equipment to fit in the same volume and improves air flow. Compute chassis sizes are defined in multiples of an OpenU, which is 48 mm, slightly larger than the typical rack unit.
- Data center designs for energy efficiency include 277 VAC power distribution, which eliminates one transformer stage found in typical data centers, and a single-voltage (12.5 VDC) power supply designed to work with 277 VAC input and 48 VDC battery backup.
- On May 8, 2013, an effort to define an open network switch was announced. The plan was to allow Facebook to load its own operating system software onto the switch. Press reports predicted that more expensive and higher-performance switches would continue to be popular, while less expensive products treated more like a commodity (using the buzzword “top-of-rack”) might adopt the proposal.
A similar project for a custom switch for the Google platform had been rumored, and evolved to use the OpenFlow protocol.
We are extremely excited about the upcoming Open Compute U.S. Summit 2015 on March 10-11, and apparently so is our community! Due to overwhelming response we are limiting the number of attendees and will not be accepting walk-ins or onsite registrations.
If you haven’t already done so, please register ASAP: https://www.eventbrite.com/e/open-compute-us-summit-2015-march-10-11-details-below-registration-12528804993
If you have already registered for this event and can no longer attend, please cancel your ticket so that others have a chance to register. We have removed all duplicate registrations. If you are unsure whether you are registered, please email us at events.
As always, you are welcome to watch via Livestream; details will be available on our website prior to the event.
If you still harbored any doubts that the web is now driving the future of IT, last week’s announcement that HP will offer disaggregated products for web-scale data centers via deals with Cumulus and Accton should be enough to convince you.
The deal itself is hardly monumental. HP inked a pair of “partnerships that will produce a branded white box switch capable of running multiple network operating systems.” And it comes on the heels of HP’s deal with Foxconn last year to build inexpensive cloud computing servers.
But as HP joins Juniper, Dell, and many others supporting the concepts behind Facebook’s Open Compute project, it’s becoming clear that the era of high-priced, proprietary networking hardware—not to mention servers—is drawing to a close.
And the web shall lead them…
The biggest, most advanced companies, the ones operating at “web scale,” are increasingly investing in cheap, generic, “white-box” hardware and using it to run whatever operating systems and software best fit their needs. That market has now grown to the point that the top networking vendors can no longer ignore the trend and have been forced to respond with offerings that take the new reality into account. Even if these products offer a paltry return compared to the cushy margins on their traditional gear, something is better than nothing. And as is often the case, they hope to make up at least some of the difference by selling “follow on service and support.”
Good luck with that. Just as the web has disrupted other consumer and enterprise business models, a similar dynamic is now sucking the money out of selling enterprise hardware.
Way back in 2013, I wrote that “if you want to see the future of enterprise technology, take a close look at companies like Google, Amazon, and Facebook.”
Just as HP has been forced to change how it does business to accommodate those leading-edge customers, the rest of the enterprise technology market won’t be far behind.
Market window closing
For now, there’s still plenty of room for expensive, proprietary networking hardware, but that won’t last forever. Inevitably, these web-scale white-box environments will trickle down into more and more use cases, continuing to shrink the market for proprietary solutions and put ever-increasing pressure on traditional networking vendors.
The biggest bellwether, of course, is Cisco, which was forced to eat CEO John Chambers’ words when it joined the OCP project late last year—after dissing it for months.
That was a big deal, but for now Cisco remains heavily dependent on proprietary products. Making the transition from that world to the new one won’t be easy for any networking vendor. But, as last week’s HP announcement proves, vendors really don’t have much of a choice.
For enterprises buying networking hardware, this is a mixed bag. In the short run, the transition will no doubt be bumpy, with lower prices balanced out by the difficulty in finding—and managing—the right solutions in an unstable market. In the long run, though, it seems clear to me that OCP is doing networking users a big favor by helping to pull costs out of the industry.
Deutsche Bank has signed a 10-year deal with HP to re-engineer the IT that underpins its wholesale banking arm in preparation for the next phase of its digital transformation.
The multi-billion euro deal will see the German banking giant use cloud platform HP Helion, modernising the IT that supports the bank’s applications.
It forms the next part of Deutsche Bank’s digital transformation. HP will provide datacentre services on-demand, including storage platforms as a service and hosting. The deal with HP will largely replace work previously carried out by in-house teams, with a small number of bank staff moving to the supplier.
The bank wants to re-engineer its underlying technology platform globally and standardise its IT foundations to support modern technologies such as automation. Once this is achieved, the infrastructure, which will harness mid-range systems, will support the introduction of digital services in the back office and for customers.
Deutsche Bank will retain control of IT architecture, application development and IT security.
Henry Ritchotte, COO at Deutsche Bank, said the agreement will enable the bank to standardise IT and reduce costs.
“Having a more modern and agile technology platform will further improve the bank’s ability to launch new products and services and lay the foundation for the next phase of its digital strategy,” he said.
As part of the deal, the bank will use a customised version of HP’s enterprise cloud platform, Helion, according to HP CEO Meg Whitman.
Deutsche Bank is investing in future technologies. It recently appointed its first chief data officer as part of its plan to introduce digital practices. JP Rangaswami joined from software-as-a-service giant Salesforce.com, where he had been chief scientist since 2010. Prior to that, Rangaswami had a five-year spell at BT and before that was CIO at investment bank Dresdner Kleinwort Wasserstein.
The bank is aware of threats to its business from companies such as Apple and PayPal in the payments market. Banks in the UK increasingly consider companies such as Google, Apple and Facebook as their biggest competitive threat. This trend is seeing banks look for partnerships in the IT industry, including joint ventures and investments in startups.
Deutsche Bank set up a joint innovation venture with IBM, Microsoft and Indian IT services firm HCL Technologies last year to improve its digital credentials.
Extend your datacenter to the cloud to give organizations simpler management and greater flexibility. Hybrid cloud is no longer just a “valid alternative”; it is now the differentiating factor for businesses that want to be competitive.
Get started with in-depth technical resources for IT Pros to explore, learn and try, and to dive deep into networking, storage and disaster recovery scenarios.
The lawsuit was reportedly filed by Jessica N. Bennet in California, despite Lenovo admitting that pre-installing Superfish was a mistake and issuing an open-source tool to remove the software.
The tool is also designed to remove the self-signed root HTTPS certificate installed by Superfish that can intercept encrypted traffic for every website a user visits.
This introduced a security vulnerability because attackers could potentially use the certificate to create fake HTTPS websites that would not be detected as fakes by vulnerable Lenovo machines.
In other words, the vulnerability could enable attackers to impersonate shopping, banking and other websites and steal users’ credit card numbers and other personal data.
Lenovo said in a statement it had worked with Microsoft and McAfee. Security applications from both companies are also now able to remove Superfish software and certificates.
Remote monitoring of Lenovo users’ web activity
Superfish is also named as a defendant in the class action lawsuit that claims the software allowed remote monitoring of internet activity in violation of state and US federal privacy laws.
Bennet accuses Lenovo and Superfish of invading her privacy and making money by studying her internet browsing habits.
According to the lawsuit, Bennet noticed spam advertisements on a client’s website after writing a blog post for that customer, which she traced back to the Superfish software on her Yoga 2 laptop.
The court documents also claim that Superfish took up internet bandwidth and caused Bennet’s computer to slow down by using computer memory resources.
Lenovo has claimed that it stopped pre-installing Superfish in January 2015, but prior to that the software was installed on a wide variety of consumer PC series, including Flex, Miix and Yoga.
The company said the issue does not affect Lenovo ThinkPads, any tablets, desktops or smartphones, or any enterprise server or storage device.
The first complaints of Superfish on Lenovo’s laptops emerged in September 2014, but the security risks were uncovered last week by security researchers.
Lenovo said it had halted the installation of Superfish after customers complained about intrusive pop-up ads appearing on their browsers.
But the company said it was not aware of the security risks until last week and was “focused on fixing it”.
“We apologise for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future,” said a company statement.
Wider questions over security of Komodia code
But the security vulnerability may extend further than Lenovo because Superfish insists its software is safe and that the security flaw was introduced unintentionally by a third party, reports Phys.Org.
In an email to The Associated Press, Superfish identified that party as Komodia, a tech startup based in Israel that makes software for other companies.
This means any company or software using the same Komodia code as Superfish could be affected by the same security vulnerabilities as Superfish.
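As an added defender's check, not Lenovo's removal tool or anything from the article, the PowerShell script below inventories both Windows root trust stores for certificates whose subject or issuer names Superfish or Komodia, the two vendors named above; the name patterns and store paths are assumptions. It also reports whether the private key for a matching root is present on the machine, since a trusted root whose key is local is what allows the interception of HTTPS traffic described above.

```powershell
# Added example: inventory Windows root stores for interception CAs named after
# the vendors in the article. Patterns and store paths are assumptions.
$SuspectPatterns = @('Superfish', 'Komodia')   # assumption: vendor names from the article

# Root stores consulted by browsers that use the Windows trust store.
$RootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuspectRootCertificates {
    param(
        [string[]]$Patterns = $SuspectPatterns,
        [string[]]$Stores   = $RootStores
    )
    foreach ($store in $Stores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            # Match on either subject or issuer so a re-issued intermediate is caught too.
            $matched = $Patterns | Where-Object {
                $cert.Subject -match $_ -or $cert.Issuer -match $_
            }
            if ($matched) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Issuer        = $cert.Issuer
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                    # A root with its private key on the box can sign leaf certs locally,
                    # which is the precondition for on-device TLS interception.
                    HasPrivateKey = $cert.HasPrivateKey
                    MatchedOn     = ($matched -join ', ')
                }
            }
        }
    }
}

function Remove-SuspectRootCertificates {
    # Removal is opt-in and honours -WhatIf / -Confirm; LocalMachine needs admin rights.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Find-SuspectRootCertificates | ForEach-Object {
        $path = Join-Path $_.Store $_.Thumbprint
        if ($PSCmdlet.ShouldProcess($path, 'Remove root certificate')) {
            Remove-Item -Path $path
        }
    }
}

# Report first; decide on removal after reviewing the findings.
$findings = @(Find-SuspectRootCertificates)
if ($findings.Count -eq 0) {
    Write-Output 'No root certificates matching the suspect patterns were found.'
} else {
    $findings | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize
    Write-Output 'Run Remove-SuspectRootCertificates -WhatIf to preview removal.'
}
```

A clean result here does not prove the interception library is absent, only that no trusted root carries those names; the vendor's removal tool and the security products mentioned above remain the authoritative clean-up path.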
Once upon a time, during a robbery in Chinatown:
1- Change the traditional way of thinking:
One thief shouted at the people inside the bank: “Don’t move! The money belongs to the state, while your life is yours.”
All the people lay down on the floor quietly.
And this is called the “concept of changing the way of thinking”.
2- Focus on what you are trained to do:
When one lady lay on a table provocatively,
the thief shouted at her: “Hey, understand, this is a robbery, NOT a rape!”
And this is called “professionalism”.
3- Experience is better than a college qualification:
When the thieves returned to their base,
the youngest one (who has an MBA) said to his senior (who only finished the 6th grade):
“Boss, let’s count how much money we earned!” His boss replied on the fly: “Are you foolish? This is a big amount of money and it will take us a long time to count, so just be patient; we will find out when they announce the robbery on TV.”
And this is called “experience”.
4- Turn catastrophe into benefits:
On the other hand, after the thieves left the bank,
the bank chief ordered his branch manager: “Hurry, call the police!”
But the branch manager replied: “Just wait a sec, sir. Before calling the police, let us take 80 million bucks for ourselves.”
And this is what they call “swimming with the current”.
5- Enjoyment makes the job bearable:
The branch manager said: “It would be so brilliant to have one robbery like this every month.”
And this is what they call “killing the routine”.
6- Knowledge is worth gold:
It came on the news that there was a bank robbery of 100 million US$.
Once the thieves heard the news, they immediately jumped up and started counting the money again and again, and OMG! It is only 20 million dollars.
They got angry and said: “How come we took all this risk and did the dirty work, and all we got is ONLY 20 million, while the bank managers got 80 million without any effort?”
But they concluded: “It seems that being an educated white-collar worker is better than being a blue-collar worker.”
7- Opportunity hunting & risk taking:
The bank chief was so happy, since he covered all his losses in the stock market with this money, and this is what they call “utilising opportunities”.
Microsoft made some big announcements this week. It opened the doors to Office — working with a variety of partners to integrate more cloud storage services into the Office ecosystem. The move makes it easier for Microsoft Office users to save and access their files from the cloud service they prefer. More importantly, it breaks down barriers and enables Microsoft Office to extend its influence across virtually all platforms and devices.
The #iMaCloudSoft #OffiOSx
There were two announcements from Microsoft. First, it opened access to third-party cloud storage providers to natively integrate into the Office apps for iOS. Previously, iOS users were limited to OneDrive and Dropbox, but now iCloud and Box have been added to the mix, and the option is there for other services to join the party.
The second part of the news is that Microsoft revealed its Cloud Storage Partner Program to enable cloud services to integrate the Office Online applications directly into their services. Box, Citrix, and Salesforce are early partners in the Microsoft initiative. Those are massive enterprise platforms with millions of users who will now be able to open, view, and edit documents using Office apps from within the services in their web browsers.
It wasn’t too long ago that Microsoft greedily kept Office just for its own platforms and devices — Mac OS X being the exception. Those were the Ballmer days. Under Satya Nadella’s leadership, Microsoft has embraced a strategy that is almost polar opposite: be ubiquitous.
Kirk Koenigsbauer summed up the Microsoft blog post with, “Living in a cloud-first, mobile-first world is all about having the flexibility to get things done from anywhere and on any device. And these exciting, new features will make it easier than ever to use Office with virtually any combination of apps, platforms, and cloud storage services.”
The value of removing barriers and making it easy for customers to use Microsoft tools from anywhere and any platform isn’t new to Box. At face value, Box is a cloud storage service. Since its inception, though, it has focused on making data available when and where customers need it. Period.
“This next enterprise era will be defined by simple-to-use, modular services. IT organizations will get better innovation for their dollar, users will achieve more productivity, and vendors will build stronger ties to one another. Today’s move is an important accelerant to this trend,” noted Aaron Levie, CEO of Box, in a blog post announcing the integration of Box into Office. “Microsoft’s productivity technologies are used by a billion people globally, and in nearly every enterprise — its influence on the industry cannot be understated.”
The world where Microsoft has a monopoly or pseudo-monopoly on any platform or technology has all but disappeared. The new reality is a multi-device, multi-platform world. Any attempt to paint customers into a corner and lock them into a specific platform or device is essentially suicidal.
Microsoft’s new strategy takes a sort of “Trojan horse” approach to ruling the world once again. It can’t make everyone use Windows PCs, and Windows Phone smartphones have claimed only a negligible slice of the mobile device market. By freeing customers to use Microsoft tools on other platforms and devices, though, Microsoft will continue to be a dominant force — even on rival platforms like Android and iOS.
The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
The OWASP Top 10 – 2013 is as follows:
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you’ll find free and open …
All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.
OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open source software projects, OWASP produces many types of materials in a collaborative, open way.
The OWASP Foundation is the non-profit entity that ensures the project’s long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board, Global Committees, Chapter Leaders, Project Leaders, and project members. We support innovative security research with grants and infrastructure.
If you are interested, the methodology for how the Top 10 is produced is now documented here: OWASP Top 10 Development Methodology
Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!
As you help us spread the word, please emphasize:
- OWASP is reaching out to developers, not just the application security community
- The Top 10 is about managing risk, not just avoiding vulnerabilities
- To manage these risks, organizations need an application risk management program, not just awareness training, app testing, and remediation
We need to encourage organizations to get off the penetrate and patch mentality. As Jeff Williams said in his 2009 OWASP AppSec DC Keynote: “we’ll never hack our way secure – it’s going to take a culture change” for organizations to properly address application security.